iOS passcode bug squashed once again with iOS 6.1.3 release

iOS 6.1.3 is now available; also comes with Maps improvements in Japan.

More than a month after security researchers pointed out a new passcode bug in iOS, Apple has patched it with the release of iOS 6.1.3. The software update, released over the air or via iTunes, is mainly aimed at addressing the security vulnerability that allowed attackers to get around an iOS device's passcode by performing a series of steps. Apple says that iOS 6.1.3 also comes with "improvements to Maps in Japan."

It was mid-February when reports began to spread that an old vulnerability in the iPhone's emergency call feature had resurfaced as part of iOS 6.1. As we wrote at that time, "[w]ith the right sequence of button clicking, it's possible to get to an iPhone user's voicemails, contacts, and photos—even if the iPhone is locked and password protected." A couple of weeks later, different researchers pointed out another way to get around the iPhone's lock screen based on the same vulnerability. Apple released iOS 6.1.2 in the meantime, but it did not fix the passcode bug with that update.

As rumored, however, iOS 6.1.3 does in fact address the passcode lock screen vulnerability. Since this is a security concern that could affect many iOS device users, we certainly recommend installing it as soon as you get the chance. But be warned: if you've jailbroken your iOS 6.1.x device, we're hearing that the 6.1.3 update fixes one of the security holes that enables the evasi0n jailbreak. In that case, update at your own risk.

According to the security update email Apple just sent out, there are 6 security vulnerabilities fixed by the iOS 6.1.3 update.

APPLE-SA-2013-03-19-1 iOS 6.1.3

iOS 6.1.3 is now available and addresses the following:

dyld
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute unsigned code
Description: A state management issue existed in the handling of Mach-O executable files with overlapping segments. This issue was addressed by refusing to load an executable with overlapping segments.
CVE-ID
CVE-2013-0977 : evad3rs

Kernel
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to determine the address of structures in the kernel
Description: An information disclosure issue existed in the ARM prefetch abort handler. This issue was addressed by panicking if the prefetch abort handler is not being called from an abort context.
CVE-ID
CVE-2013-0978 : evad3rs

Lockdown
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to change permissions on arbitrary files
Description: When restoring from backup, lockdownd changed permissions on certain files even if the path to the file included a symbolic link. This issue was addressed by not changing permissions on any file with a symlink in its path.
CVE-ID
CVE-2013-0979 : evad3rs

Passcode Lock
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: A person with physical access to the device may be able to bypass the screen lock
Description: A logic issue existed in the handling of emergency calls from the lock screen. This issue was addressed through improved lock state management.
CVE-ID
CVE-2013-0980 : Christopher Heffley of theMedium.ca, videosdebarraquito

USB
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: A local user may be able to execute arbitrary code in the kernel
Description: The IOUSBDeviceFamily driver used pipe object pointers that came from userspace. This issue was addressed by performing additional validation of pipe object pointers.
CVE-ID
CVE-2013-0981 : evad3rs

WebKit
Available for: iPhone 3GS and later, iPod touch (4th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: An invalid cast issue existed in the handling of SVG files. This issue was addressed through improved type checking.
CVE-ID
CVE-2013-0912 : Nils and Jon from MWR Labs working with HP TippingPoint's Zero Day Initiative

My understanding is that the passcode bug does not apply if you are using non-simple passcodes (e.g., more than 4 numbers). Four character passcodes are this close to useless, anyway, so it doesn't seem 6.1.3 is worth updating to.

Unless, of course, you know the limitations of a 4-digit passcode and are merely trying to keep your jerk of a roommate from searching your phone, looking for nudes of your girlfriend every damn time you leave your phone on the kitchen counter. FOR THE LAST TIME, THERE AREN'T ANY ON MY PHONE DAVE!

My understanding is that the passcode bug does not apply if you are using non-simple passcodes (e.g., more than 4 numbers). Four character passcodes are this close to useless, anyway, so it doesn't seem 6.1.3 is worth updating to.

I initially voted you down because I didn't know iPhones weren't limited to the stupid four digit "simple" passcodes. But I Googled and learned the truth and now my phone is much better protected.

I still think the comment that 6.1.3 isn't worth updating to, especially in light of the other security fixes, is a troll. But thank you anyway.

... I still think the comment that 6.1.3 isn't worth updating to, especially in light of the other security fixes, is a troll. But thank you anyway.

Everything is a matter of perspective, methinks. If granroth jailbroke his phone, he may be weighing the advantages of the non-jailbreak specific bug fixes against the advantages of the features he got by jailbreaking.

Speaking of which... have any other jailbreakers taken the risk, and updated to 6.1.3? If so, how did things go? I mean, I'm assuming that your Cydia mods get killed, but are there any other ill effects?

My understanding is that the passcode bug does not apply if you are using non-simple passcodes (e.g., more than 4 numbers). Four character passcodes are this close to useless, anyway, so it doesn't seem 6.1.3 is worth updating to.

I initially voted you down because I didn't know iPhones weren't limited to the stupid four digit "simple" passcodes. But I Googled and learned the truth and now my phone is much better protected.

I still think the comment that 6.1.3 isn't worth updating to, especially in light of the other security fixes, is a troll. But thank you anyway.

A troll? How so?

1. Having a complex passcode offers far better security than a simple one, making it the obvious choice for a passcode no matter what
2. With a complex passcode in place, the 6.1.3 update has no practical benefit
3. With 6.1.3 installed, my jailbreak (likely) fails and I'm left out in the cold with the features that I require

My understanding is that the passcode bug does not apply if you are using non-simple passcodes (e.g., more than 4 numbers). Four character passcodes are this close to useless, anyway, so it doesn't seem 6.1.3 is worth updating to.

Granroth, I successfully used the workaround on an iPhone 5 with a complex passcode. This is definitely worth the update.

Also, someone mentioned the device wipe after ten failed unlock attempts. It's a great feature IF you have it enabled. It is disabled by default.

Four character passcodes are this close to useless, anyway, so it doesn't seem 6.1.3 is worth updating to.

I think that's quite an exaggeration. Four digits allow 10,000 combinations and after ten wrong entries the phone erases itself. That makes the odds of getting in fairly small.

The odds are 1:1000, assuming that the attacker tries 10 unique passcodes.

How many iPhones in the wild? Millions? Attackers will guess the 4 digit passcode on many thousands of them.

That's all assuming the phones are configured to auto erase after 10 wrong passcodes. If not, it only takes about 3-5 hours to try all 10000 combinations by hand.

Even if the phone isn't set up to auto-erase, the phone is semi-permanently locked after 10 incorrect entries in a row and needs to be hooked up to iTunes on a computer with the owner's iTunes account to unlock it again. So it's not like someone can just pound away with different passcodes indefinitely.

Good to see Apple releasing security updates for the 3GS, which was released in 2009.

Android and WP fanboys: how many of your 2009 era phones can you say the same for?

How many Android phones which shipped with Android 2.0 can now run Android 4.X? How many Windows phones which shipped with Windows Mobile 6.5 can be upgraded to Windows Phone 8.X?

Sigh. Yes, they continued to support the 3GS, which is nice. But you could still buy one new in like September of last year. How many new Android 2.0 phones and Windows Mobile 6.5 phones were available new (not old stock either) in September? I'd guess zero. If Apple wasn't selling it until last year it would have already stopped getting updates like the iPad, but they needed something to compete with $0 Android phones so they kept making it. But don't think Apple's long term support of the 3GS is out of the kindness of their heart.

I love how my iPhone gets regular security updates! The walled garden is winning for me. If a bug is found it is only a matter of a few weeks and it will be fixed. Thank you Apple for giving me the most secure consumer smartphone out there.

Did this update kill the HiddenApp trick? I know Apple became aware of and punished/banned the developer over it, so I wouldn't be surprised. There's going to be a lot of sour people out there if it did.

Impact: A local user may be able to determine the address of structures in the kernel

Impact: A local user may be able to change permissions on arbitrary files

Impact: A local user may be able to execute arbitrary code in the kernel

Explain how these represent security flaws. Explanations that rely on the idea that users need to be 'protected' from being able to use their device fully need not apply.

Because they allow a user to "jailbreak" the device and get around sandbox restrictions. A device without working sandbox restrictions can expose data. Yes, the user put the phone in this state, but it's opened up to many security compromises in this state. For a while, jailbroken iPhones were all open to remote SSH exploits because the root password was enabled and users didn't know it.

Also, for iPhones that are used in a corporate setting (BYO devices are quite common in this respect), jailbroken phones open up companies to security risks, as well as to the possibility of having pirated software on them. Not something a company would be overly fond of taking the risk on.

Even if the phone isn't set up to auto-erase, the phone is semi-permanently locked after 10 incorrect entries in a row and needs to be hooked up to iTunes on a computer with the owner's iTunes account to unlock it again. So it's not like someone can just pound away with different passcodes indefinitely.

...and it means nothing to have the 10 attempt limit. By connecting a cable and getting an encrypted dump of the phone, you have as many attempts as you like to brute force the key and get the contents. Scanning 10,000 passwords takes a few minutes, if that. Tools are available to do that, and used by law enforcement (who are the most likely people to have physical access to your phone against your wishes and want to search it).

That's why non-simple keys are required. Not to stop the casual person trying random codes on the phone itself, but to stop decryption of the contents of the phone offline.

My understanding is that the passcode bug does not apply if you are using non-simple passcodes (e.g., more than 4 numbers). Four character passcodes are this close to useless, anyway, so it doesn't seem 6.1.3 is worth updating to.

Granroth, I successfully used the workaround on an iPhone 5 with a complex passcode. This is definitely worth the update.

Also, someone mentioned the device wipe after ten failed unlock attempts. It's a great feature IF you have it enabled. It is disabled by default.

I second the point that the workaround worked identically for complex pass codes. I've demonstrated this, with permission, on my friends' iPhones on a couple of occasions. They were all pretty surprised. Good thing the official fix is out now.

Even if the phone isn't set up to auto-erase, the phone is semi-permanently locked after 10 incorrect entries in a row and needs to be hooked up to iTunes on a computer with the owner's iTunes account to unlock it again. So it's not like someone can just pound away with different passcodes indefinitely.

...and it means nothing to have the 10 attempt limit. By connecting a cable and getting an encrypted dump of the phone, you have as many attempts as you like to brute force the key and get the contents. Scanning 10,000 passwords takes a few minutes, if that. Tools are available to do that, and used by law enforcement (who are the most likely people to have physical access to your phone against your wishes and want to search it).

That's why non-simple keys are required. Not to stop the casual person trying random codes on the phone itself, but to stop decryption of the contents of the phone offline.

I'm pretty sure the passcode is just to lock the interface and has naught to do with the encryption present on the storage itself. Not that I disagree about passcodes in general; simple passcodes are inherently insecure anyway.

Although one thing that will make a dump harder is that you can't access the phone by cable (with the MobileDevice service) on an unlinked PC without knowing the passcode on the phone. Of course this means a lot less if you can jailbreak the device.

Edit: Somebody downvoted this? If you want to get a dump of the phone (read: access it over USB), the phone has to be unlocked. You can't unlock the phone without the passcode. The entire filesystem is encrypted in addition to whatever files are individually encrypted with the passcode through the data protection API in iOS. Unless you have a bootloader exploit or something of that nature at this level, you won't get what you're looking for without tearing the device apart.

That's why non-simple keys are required. Not to stop the casual person trying random codes on the phone itself, but to stop decryption of the contents of the phone offline.

Data Protection also gets entropy from the UID of the device, which is a 256-bit key. So it's practically impossible to brute force the decryption offline, short of reading the UID from the silicon with an electron microscope*...

*EDIT: I actually have no idea what tools you would need, electron microscope was a guess.

...and it means nothing to have the 10 attempt limit. By connecting a cable and getting an encrypted dump of the phone, you have as many attempts as you like to brute force the key and get the contents. Scanning 10,000 passwords takes a few minutes, if that. Tools are available to do that, and used by law enforcement (who are the most likely people to have physical access to your phone against your wishes and want to search it).

That's why non-simple keys are required. Not to stop the casual person trying random codes on the phone itself, but to stop decryption of the contents of the phone offline.

Did you remember to dump the encryption key that's burned into the CPU? That one is not directly accessible, unless you uncap the SoC and read the fuse cells manually. It's theoretically possible, but if you have that kind of money for an attack then I have a gold plated $50,000 wrench that will extract information from the owner much faster.

Good to see Apple releasing security updates for the 3GS, which was released in 2009.

Android and WP fanboys: how many of your 2009 era phones can you say the same for?

How many Android phones which shipped with Android 2.0 can now run Android 4.X? How many Windows phones which shipped with Windows Mobile 6.5 can be upgraded to Windows Phone 8.X?

Sigh. Yes, they continued to support the 3GS, which is nice. But you could still buy one new in like September of last year. How many new Android 2.0 phones and Windows Mobile 6.5 phones were available new (not old stock either) in September? I'd guess zero. If Apple wasn't selling it until last year it would have already stopped getting updates like the iPad, but they needed something to compete with $0 Android phones so they kept making it. But don't think Apple's long term support of the 3GS is out of the kindness of their heart.

I see that a number of people voted you down, which I think is somewhat odd; perhaps you didn't offer enough details. I'm actually curious about the context of your comment: Did you jailbreak previously? If not, which model and carrier are you using?

I jailbroke my iPhone 4 (on Verizon), which is why I ask. If your phone was only temporarily bricked because you jailbroke and tried the over-the-air update, and then performing a standard restore via iTunes fixed the problem (but lost you your jailbreak mods, obviously), then all that means is that jailbreakers are required to use iTunes if they want to install 6.1.3, which wouldn't be all that terrible. If that's the case, I think this would be very useful to know...

That's why non-simple keys are required. Not to stop the casual person trying random codes on the phone itself, but to stop decryption of the contents of the phone offline.

Data Protection also gets entropy from the UID of the device, which is a 256-bit key. So it's practically impossible to brute force the decryption offline, short of reading the UID from the silicon with an electron microscope...

It's a two-step decode: the data itself is encrypted with a highly random secure key, and it's impossible to brute force that in one hit. That key is then encrypted based on your lock code. That way, changing the lock code doesn't require re-encrypting everything, just that single key. So they brute force the lock code to get the really secure key.
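The two-step design described in this reply, the UID-tangled derivation mentioned a few comments up, and the ten-attempt wipe/lockout debated earlier, modelled together as an added toy example (not Apple's implementation and not code from this thread). The key wrapping is a deliberately simple XOR-plus-HMAC construction, the KDF iteration count is an assumption, and the class name ToyDevice is invented; what it shows is that a passcode change only re-wraps the random data key, that a dump without the per-device UID gives an offline attacker nothing to test guesses against, and how the on-device counter behaves with and without the wipe option.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KDF_ITERATIONS = 20_000  # assumed work factor for the passcode KDF (toy value)


def derive_keys(passcode: str, uid: bytes) -> Tuple[bytes, bytes]:
    """Derive (encryption key, MAC key) from the passcode, salted with the device UID.
    Without the UID bytes the derivation cannot even be started offline."""
    material = hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def wrap_dek(dek: bytes, passcode: str, uid: bytes) -> bytes:
    """Wrap the random data key under the passcode-derived key (toy XOR + HMAC tag)."""
    enc_key, mac_key = derive_keys(passcode, uid)
    blob = bytes(a ^ b for a, b in zip(dek, enc_key))
    return blob + hmac.new(mac_key, blob, "sha256").digest()


def unwrap_dek(wrapped: bytes, passcode: str, uid: bytes) -> Optional[bytes]:
    """Return the data key when passcode and UID are both right, else None."""
    enc_key, mac_key = derive_keys(passcode, uid)
    blob, tag = wrapped[:32], wrapped[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, blob, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(blob, enc_key))


class ToyDevice:
    """Hypothetical device: UID fused into the chip, random DEK, attempt counter."""

    def __init__(self, passcode: str, wipe_after_ten: bool = False):
        self.uid = secrets.token_bytes(32)    # 256-bit per-device key, never exported
        self.dek = secrets.token_bytes(32)    # key the file system is encrypted under
        self.wrapped = wrap_dek(self.dek, passcode, self.uid)
        self.wipe_after_ten = wipe_after_ten  # off by default, as noted in the thread
        self.failures = 0
        self.locked = False
        self.wiped = False

    def try_unlock(self, passcode: str) -> Optional[bytes]:
        """On-device unlock: ten consecutive failures either wipe or lock the device."""
        if self.locked or self.wiped:
            return None
        dek = unwrap_dek(self.wrapped, passcode, self.uid)
        if dek is not None:
            self.failures = 0
            return dek
        self.failures += 1
        if self.failures >= 10:
            if self.wipe_after_ten:
                self.wrapped = bytes(len(self.wrapped))  # wrapped key zeroed: data gone
                self.wiped = True
            else:
                self.locked = True  # stays locked until restored through the owner's iTunes
        return None

    def change_passcode(self, old: str, new: str) -> bool:
        """Re-wrap the same DEK under the new passcode; encrypted data is untouched."""
        dek = self.try_unlock(old)
        if dek is None:
            return False
        self.wrapped = wrap_dek(dek, new, self.uid)
        return True
```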

Good to see Apple releasing security updates for the 3GS, which was released in 2009.

Android and WP fanboys: how many of your 2009 era phones can you say the same for?

How many Android phones which shipped with Android 2.0 can now run Android 4.X? How many Windows phones which shipped with Windows Mobile 6.5 can be upgraded to Windows Phone 8.X?

Sigh. Yes, they continued to support the 3GS, which is nice. But you could still buy one new in like September of last year. How many new Android 2.0 phones and Windows Mobile 6.5 phones were available new (not old stock either) in September? I'd guess zero. If Apple wasn't selling it until last year it would have already stopped getting updates like the iPad, but they needed something to compete with $0 Android phones so they kept making it. But don't think Apple's long term support of the 3GS is out of the kindness of their heart.

To be fair, the original comment was about Android 2.0, not 2.x; 2.3 was released in late 2011, so though it's bad current phones are sold with it (or worse - 2.2, as is done here in Australia), it's not quite 2009 territory.

I see that a number of people voted you down, which I think is somewhat odd; perhaps you didn't offer enough details. I'm actually curious about the context of your comment: Did you jailbreak previously? If not, which model and carrier are you using?

I jailbroke my iPhone 4 (on Verizon), which is why I ask. If your phone was only temporarily bricked because you jailbroke and tried the over-the-air update, and then performing a standard restore via iTunes fixed the problem (but lost you your jailbreak mods, obviously), then all that means is that jailbreakers are required to use iTunes if they want to install 6.1.3, which wouldn't be all that terrible. If that's the case, I think this would be very useful to know...

I don't jailbreak. I tried to update over the air. The restore worked fine though.